Published in Courting the Law – Photo by Small Business Ireland
With technology and digitization taking over the world, data protection laws are becoming the need of the hour. As some countries move forward with robust and effective laws and regulations to safeguard the personal data of individuals, a vacuum continues to exist as no formal data protection regime has been adopted by India and Pakistan yet.
One reason for this is a majority of the population in both countries not having any knowledge of what personal data is and why citizens need to protect it. In simple terms, personal data includes the name, birth date, national identity number, home address and other such details of an individual. Tech giants all over the world, including Facebook, Google and Twitter, acquire the personal data of individuals and often tend to use it without consent. The memory of the Cambridge Analytica scandal− in which Facebook admitted that personal data of approximately 87 million users had been shared with Cambridge − still haunts us. Closer to home, in January 2018, Careem admitted that the personal data of its users had been stolen by hackers. Till date, ordinary citizens have no remedy which allows a direct claim to be brought against Careem or any other company for not taking effective measures to safeguard our personal data. This is why there is an urgent need for effective laws on data protection.
2018 was, however, a remarkable year for the two countries in moving forward as they formulated draft Bills on data protection. The question remains as to whether the standards of these Bills are anywhere near the standards of the European Union’s General Data Protection Regulation (GDPR).
Pakistan introduced the Draft on Data Protection and Privacy in 2018 to ensure that the right to privacy (which is a fundamental right under the Constitution of Pakistan) is protected. Therefore this Draft is a welcome step in protecting the data of Pakistani citizens, but it too has its shortcomings.
Firstly, it is too narrow in terms of scope. The Draft applies only to commercial entities. Government or state-owned institutions are exempt from its jurisdiction. This means that if state-owned institutions misuse or leak personal data or do not take effective measures to safeguard it, individuals will have no claim under the draft law against them. Hacks at NADRA are very common. It is also common for individuals working with government authorities to use the personal data of citizens for vested interests. Currently, any government employee can acquire the personal data of citizens from government databases and misuse it for financial gains and easily get away with it without accountability. Under the draft Bill, sadly, this would not change.
Moreover, the Draft exempts processing of personal data exclusively for journalistic, literary or artistic purposes. Although this ensures press freedom, the potential for misuse or leaks of confidential personal data by the press still remains a possibility. To deal with these nuances, the scope of the Draft must be revised before it becomes law.
Finally, the federal government has been granted broad powers under the Draft. If government authorities feel it is reasonably necessary to acquire or share personal data of individuals without their consent, they can do so. This also leads to the potential of misuse by government institutions.
On the other hand, India’s draft Bill is expansive in scope and is a key development in the evolution of data protection laws in India. The draft Bill came about as a result of the Indian Supreme Court’s landmark judgment in August 2017 in which a nine-judge bench held the right to privacy to be a fundamental right and directed the government to enact a comprehensive law on data protection.
The draft law on personal data protection had been formed in 2018 under the supervision of a retired Indian Supreme Court judge, Justice Srikrishna. It currently awaits approval from the legislature. The scope of the Draft extends to both commercial entities and government institutions. It also extends to companies outside the territory of India and requires them to comply with its requirements if such companies process personal data of individuals on India territory. Inspired by the GDPR, it explicitly establishes the right to be forgotten which essentially allows individuals to have their personal data restricted or prevented from continuing disclosure.
If the draft Bills being floated for adoption do get adopted by the Pakistani and Indian legislatures, they will surely serve as remarkable steps for the data protection of citizens on both sides of the border, which is a crucial need of the hour. However, while the Indian Draft seems almost as effective as the GDPR, many provisions in Pakistan’s Draft need to be revisited to ensure greater protection of personal data. As our dependence on technology increases for modern living and governance, it is hoped our data is as well protected as our neighbor’s.